Gh0stCringe RAT Being Distributed to Vulnerable Database Servers

The ASEC analysis team is constantly monitoring malware distributed to vulnerable database servers (MS-SQL, MySQL servers). This blog will explain the RAT malware named Gh0stCringe[1].

Gh0stCringe, also known as CirenegRAT, is one of the malware variants based on the code of Gh0st RAT. It was first discovered in December 2018, and it is known to have been distributed via SMB vulnerability (using the SMB vulnerability tool of ZombieBoy).[2] Since then, no direct relationship has been found, but it was mentioned in the KingMiner CoinMiner analysis report[3] published in June 2020.

Gh0stCringe RAT that is recently being discovered is being distributed to vulnerable database servers. Gh0stCringe-related logs in AhnLab’s ASD show that logs were not only created by the sqlservr.exe process (MS-SQL server) but also by the MySQL server process for Windows environment (see figure below).

Figure 1. Gh0stCringe RAT creation logs

Considering the fact that MySQL servers are targets of attack in addition to MS-SQL servers, it can be assumed that Gh0stCringe targets poorly-managed DB servers with vulnerable account credentials.

Since database servers with vulnerable account credentials usually become targets of various attackers and malware, many different malware infection logs were found. In fact, the typical attack path of KingMiner malware that was mentioned above was an attack against SQL servers with vulnerable account credentials. Furthermore, the infection log of systems installed with Gh0stCringe shows a history of infection from different malware other than KingMiner such as Vollgar CoinMiner[4] that are distributed through brute force attacks.

Gh0stCringe was created based on the source code of publicly released Gh0st RAT. The following is a comparison between the CFileManager::OpenFile() function of Gh0st RAT that was publicly released and the function of Gh0stCringe. It shows that a part of the source code was used without modifications. Note that unlike normal variants where the majority of their codes is similar to the original code based on the Gh0st RAT source code, the majority of Gh0stCringe codes is unique just like how Gh0stCringe has its own name.

Figure 2. Gh0stCringe that utilizes Gh0st RAT source code

As its name suggests, Gh0stCringe RAT is a RAT malware that connects to the C&C server and performs various malicious behaviors by receiving commands from the attacker. The attacker can designate various settings to Gh0stCringe just like other RAT malware. The explanations in this blog are based on the analyzed sample.

The following is settings data of various features that can be performed when executed in addition to the C&C commands. There are 7 settings, and the malware performs different behaviors depending on the configured data.

Figure 3. Gh0stCringe settings data
  • Self-copy [On/Off]: If turned on, copies itself to a certain path depending on the mode.
  • Mode of execution [Mode]: Can have values of 0, 1, and 2. See below for explanations on the modes.
  • File size change [Size]: In Mode #2, the malware copies itself to the path ‘%ProgramFiles%\Cccogae.exe’, and if there is a set value, it adds junk data of the designated size to the back of the file.
  • Analysis disruption technique [On/Off]: Obtains the PID of its parent process and the explorer.exe process. If it results in a value of 0, terminates itself.
  • Keylogger [On/Off]: If turned on, keylogging thread operates.
  • Rundll32 process termination [On/Off] If turned on, executes ‘taskkill /f /im rundll32.exe’ command to terminate the rundll32 process that is running.
  • Self-copy file property [Attr]: Sets property to read-only, hidden, and system (FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM).

The keylogging feature can operate by receiving a command from the C&C server, and it can also be activated depending on the settings data. Unlike Gh0st RAT which uses the Windows Hooking method (use of SetWindowsHookEx() API), Gh0stCringe uses the keylogging technique of Windows Polling method (using GetAsyncKeyState() API).

Figure 4. Keylogging that uses GetAsyncKeyState() API

The malware saves logged user key inputs to the path ‘%SystemDirectory%\Default.key’ by single-byte XOR encoding similarly to Gh0st RAT. In this case, 0x62 was used as the key.

Figure 5. XOR encoding with 0x62

Gh0stCringe supports four different modes. The three modes are the values of the settings data mentioned above, which were 0, 1, and 2. In addition to them, the malware is executed in an exclusive mode in Windows 10 version. All modes ultimately communicate with the C&C server and perform commands, but there are differences in their features related to maintaining persistence.

  • Mode #0: If the ‘Rsuyke mkgcgkuc’ service does not exist, the malware creates the service but does not register it in a proper way. If the self-copy setting is turned on, the malware copies itself to the path %ProgramFiles% with a random name. As the created service is not registered in a proper way and the malware does not use additional techniques such as Run Key registration, persistence is not maintained.
  • Mode #1: Just like in Mode #0, the malware creates an abnormal ‘Rsuyke mkgcgkuc’ service. It registers the service to HKLM Run Key, enabling it to maintain persistence.
  • Mode #2: The malware copies itself to the path %ProgramFiles%\Cccogae.exe’ and registers to ‘Rsuyke mkgcgkuc’ service. When it executes the service, it gives ‘Win7’ as the argument and executes Gh0stCringe. As the service is registered in a proper way, persistence is maintained. Additionally, if the self-copy settings is turned on, it copies itself to the path ‘%SystemDirectory%[Random].bak’.
  • Mode Windows 10: It registers to HKCU Run Key, enabling it to maintain persistence.
Figure 6. Rsuyke mkgcgkuc service registered in a proper way

After the initial routine, it connects to the C&C server and communicates periodically, waiting for the attacker’s command. Apart from the command perform routine, it collects the following information of the infected system on initial connection and sends it to the C&C server.

OffsetSizeDescription
+0x00000x010xC8
+0x00010x07“Default”
+0x00240x04IP address of the infected system
+0x00280x04Host name of the infected system
+0x005C0x9CWindows ver.
+0x00F80x04Number of CPUs
+0x010C0x04CPU speed (GHz)
+0x01140x04Network performance
+0x01180x04Number of webcams
+0x011C0x04Wow64 availability
+0x01200x04Memory capacity (MB)
+0x01240x04Local disk capacity (MB)
+0x01280x04Date of malware installation
+0x0159N/AList of installed security products
+0x01BEN/ACertain data area (not used)
+0x02040x04Network interface speed (Mbps)
+0x02080x04“V9.0”
+0x02280x04Whether there were key inputs in the last 3 minutes
Table 1. Structure of data collected from the infected system

The most noticeable collected data is the list of installed security products. The malware scans the names of the currently running processes compares them to the following list, and if they match, it records the information and sends it to the C&C server.

Figure 7. A part of the list of scanned security products

The original Gh0st RAT uses a signature string called “Gh0st” just like its name to communicate with the C&C server. The following is the routine that decides on the “Gh0st” string via PacketFlag in the original Gh0st RAT.

Figure 8. Gh0st signature string

The following is the packet structure of Gh0stCringe before its encryption. The information of the infected system listed above was a 0x22C size, and additional data of a 0xF size was added in the front. The “xy “ string (first 3 bytes 0x787920) is the signature string of Gh0stCringe.

Figure 9. Packet structure of Gh0stCringe before encryption

The following table provides the details on the structure of the packet before its encryption:

OffsetSizeDataDescription
+0x000x03“xy “Signature string
+0x030x040x0000023BTotal packet size
+0x070x040x0000022CSize of data to be sent
+0x0B0x040x00000001Hard-coded data
+0x0FVariableVariableData collected from the infected system
Table 2. Packet structure

The data that has been created goes through a self-encoding method and is ultimately encrypted. The following is the packet encryption routine and the packet created through this process to be sent to the C&C server:

Figure 10. Packet encryption routine
Figure 11. Encoded information of the infected system to be sent to C&C server

The following is a list of various commands that can be received from the C&C server and performed. Some of the commands of Gh0stCringe exist in the original Gh0st RAT, but there are many unique commands as well.

Performing Commands
Downloader: Downloads additional payload from the C&C server and executes it. Can send specific arguments.
– Connecting to a specific URL: Connects to a specific website via Internet Explorer There is an option to hide the window so that the user does not notice it.
– Destroying MBR

Stealing Information
– Keylogging: Regardless of whether there is settings data or not, keylogging can be performed by the C&C server’s command.
– Stealing clipboard: Steals the saved data to the current clipboard.
– Collecting Tencent-related file information: Collects the list of files in the path ‘%APPDATA%\Tencent\Users\’, and it is assumed that it would normally include user data related to QQ Messenger.

Self-Control
– Update: Updates the malware
– Uninstall: Deletes the registered service and self-deletes using a batch file. Also deletes the keylogging data Default.key file.
– Service control: Changes the ‘Host’ or ‘ConnectGroup’ item for the malware service (‘Rsuyke mkgcgkuc’).
– Event Cleanup
– Registering Run Key: Registers Run Key for the path ‘C:\Program Files\Common Files\scvh0st.exe’.

System Control
– Terminating system
– Rebooting NIC

Additional Module Control
Downloads an additional module from the C&C server to memory and loads it to call the following export function. Judging by the export function, the first module appears to be a proxy-related module, and the second module appears to be a Plugin module with additional features.
– Module #1: Export function OpenProxy(), CloseProxy()
– Module #2: Export function PluginMe()

Others
– Scanning whether a certain process is running
– Scanning for the existence of certain Windows
– Writing for a certain registry: ‘HKLM\SYSTEM\Clore / Clore’
– Message pop-up

Typical attacks that target database servers (MS-SQL, MySQL servers) include brute force attacks and dictionary attacks to systems where account credentials are poorly being managed. Although it seems like these methods make up the majority of the attacks, there can be vulnerability attacks against systems where their vulnerability has not been patched.

In the case of MS-SQL servers, servers that have been installed by ERP and work-purpose solutions are being targeted by attackers in addition to the servers that are established normally. Because of this, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the database server from brute force attacks and dictionary attacks, and maintain the latest patch to prevent vulnerability attacks. Administrators should also use security programs such as firewalls for database servers accessible from outside to restrict access of external attackers.

AhnLab’s anti-malware software, V3, detects and blocks the malware above using the aliases below.

[File Detection]
– Backdoor/Win.Gh0stRAT.C4976413 (2022.02.19.00)
– Backdoor/Win.Gh0stRAT.C4976420 (2022.02.19.00)

[IOC]
MD5

– bd8611002e01d4f9911e85624d431eb0
– 9adc9644a1956dee23c63221951dd192
– 782cbc8660ff9e94e584adfcbc4cb961

C&C
– tuwu.meibu[.]net:2220
– 172.86.127[.]224:8000

[References]
[1] https://twitter.com/James_inthe_box/status/1125004664041197568
[2] https://www.binarydefense.com/gh0stcringeformerly-cirenegrat/
[3] https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-labs-kingminer-botnet-report.pdf
[4] https://www.guardicore.com/blog/vollgar-ms-sql-servers-under-attack/

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

5 1 vote
Article Rating
Subscribe
Notify of
guest

54 Comments
Inline Feedbacks
View all comments
trackback

[…] previously used by Chinese groups like Naikon and Goblin Panda), a Gh0st RAT variant known as Gh0stCringe, and Winnti, a multi-functional implant capable of granting remote control to an infected […]

trackback

[…] previously used by Chinese groups like Naikon and Goblin Panda), a Gh0st RAT variant known as Gh0stCringe, and Winnti, a multi-functional implant capable of granting remote control to an infected […]

trackback

[…] previously used by Chinese groups like Naikon and Goblin Panda), a Gh0st RAT variant known as Gh0stCringe, and Winnti, a multi-functional implant capable of granting remote control to an infected […]

trackback

[…] RAT’s variant Gh0stCringe RAT was distributed to database servers (MS-SQL and MySQL server) [3] and later posted the case where HiddenGh0st—the variant of Gh0st RAT that simultaneously […]